Chairman's foreword

Every citizen should feel confident that information about their health is securely safeguarded and shared appropriately when that is in their interest. Everyone working in the health and social care system should see information governance as part of their responsibility. Unfortunately that is not currently the case, as the Future Forum so clearly described in its report in January This strongly recommended to Government that a review of information governance should be commissioned, to include the current rules and their application. The Secretary of State for Health in England accepted the recommendation and asked me to conduct such a review independently. I had gained some familiarity with the issues when I chaired a Review in on the use of patient-identifiable data. We recommended six principles for the protection of people's confidentiality, which became known as the Caldicott principles. They included a recommendation that organisations should appoint someone to take responsibility for ensuring the appropriate security of confidential information. The people undertaking these responsibilities became known as Caldicott Guardians. My association with the subject developed in June 2011 when I became chairman of the National Information Governance Board during the final period of its existence before disestablishment in March There I heard first hand about concerns relating to information governance that arose during the passage through Parliament of the Health and Social Care Bill. The opportunity to undertake a further useful piece of work, affecting the delivery of the best care possible to our population and reassuring citizens that their information is in safe hands, was for me irresistible.
In accepting the invitation, and having learned in how best to approach such a task to achieve a useful outcome, I decided to ask key organisations to suggest suitable individuals who would constitute a small panel of relatively expert members, individually independent too.

Information: To share or not to share? The Information Governance Review

Our overarching aim has been to ensure that there is an appropriate balance between the protection of the patient or user's information, and the use and sharing of such information to improve care. I hope that the reader of this report will think that we have achieved some success to that end. It has been gratifying to learn, in the course of the Review, that the Caldicott principles continue to be valuable, but would benefit from minor amendments. The original report was written in 1997 when the service was more paternalistic and much less patient centred. Now citizens are a lot more concerned about what happens to their information; who has access to it, for what purposes is it used, and why isn't it shared more frequently when common sense tells them that it should be. The Future Forum's key recommendation relating to information governance stated that data sharing is vital for patient safety, quality and integrated care. We endorse this wholeheartedly and have been struck by the loss of confidence of many clinicians with whom we spoke, about when it is safe to share information and the safeguards that are required for sharing. It won't come as a surprise that, writing within a few weeks of the publication of the second Francis report on Mid Staffordshire NHS Foundation Trust, we were struck by the need for cultural change in the NHS. A re-balancing of sharing and protecting information is urgently needed in the patients' and service users' interests, which is supported by those citizens with whom we discussed these issues. There is clearly an urgent and ongoing need for education and training in this area for staff, and also for patients and service users. Given the imperative to meet the needs of an ageing population, particularly at the boundary between health and social care, it is crucial that systems for principled sharing of information are well understood.
As the Health and Social Care Act 2012 takes effect public health, within its new managerial structure, must also be involved. There is imbalance in other parts of the system too. While the research community has protested in the past at perceived impediments to their endeavours deriving from information governance, they have worked hard to resolve these. Patients are generally keen to contribute to research but do want their consent obtained appropriately.

The new commissioning arrangements have highlighted concerns about identifiable information being sought excessively and used inappropriately. In all these situations the Panel has attempted to clarify, simplify where possible, and remind the reader of the law and the rules pertaining to confidential information and its uses. It has been a privilege to work with members of the Panel and the officers supporting our work. We all hope that this report will prove useful and the Secretary of State for Health will ensure that it is considered carefully, that our recommendations are implemented and monitored for the wellbeing of the population, and for the benefits in care that will be derived from research, appropriate commissioning of services, and policies in relation to the public's health. While we were asked to consider the issues in England, there is much in our report which should prove useful in all the jurisdictions of the United Kingdom.

Fiona Caldicott March

Executive summary

Chapter 1: Introduction

People using health and social care services are entitled to expect that their personal information will remain confidential. They must feel able to discuss sensitive matters with a doctor, nurse or social worker without fear that the information may be improperly disclosed. These services cannot work effectively without trust and trust depends on confidentiality. However, people also expect professionals to share information with other members of the care team, who need to co-operate to provide a seamless, integrated service. So good sharing of information, when sharing is appropriate, is as important as maintaining confidentiality. All organisations providing health or social care services must succeed in both respects if they are not to fail the people that they exist to serve. The term used to describe how organisations and individuals manage the way information is handled within the health and social care system in England is information governance. In 1997 the Review of the Uses of Patient-Identifiable Information, chaired by Dame Fiona Caldicott, devised six general principles of information governance that could be used by all NHS organisations with access to patient information. The chapter sets out those principles, which have stood the test of time. It explains why the 1997 review gave priority to discouraging the uploading of personal information on to information technology systems outside clinical control. The issue of whether professionals shared information effectively and safely was not regarded as a problem at the time. NHS organisations responded by appointing Caldicott Guardians to ensure that information governance was effective. The practice spread to other public bodies, including local authorities and social care services, and the remit of the guardians was extended to provide oversight of information sharing among clinicians.
Over recent years, there has been a growing perception that information governance was being cited as an impediment to sharing information, even when sharing would have been in the patient's best interests. In January 2012 the NHS Future Forum work stream on information identified this as an issue and recommended a review to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care. The Government accepted this recommendation and asked Dame Fiona to lead the work, which became known as the Caldicott2 review. The introduction sets out how the review has been conducted and puts it in the context of the Government's Information Strategy, the Health and Social Care Act 2012, the Open Data White Paper, the review of the NHS Constitution and other relevant initiatives.

Chapter 2: People's right to access information about themselves

The Review Panel heard evidence that people's lack of access to their own records causes great frustration. We were told that patients who attempt to become involved in decisions about their care are often thwarted by information governance rules that ignore their express wishes. Examples included patients being charged a fee for access and patients being denied the opportunity to receive information in a form that suits them, such as by email, or in an audio format that can be accessed by blind people. Problems mainly originated from local information governance policies, which vary between organisations. The chapter gives examples of good practice. It recommends that all communications between different health and social care teams should be copied to the patient or service user. There should be no surprises for the patient about who has had access. Chapter 2 notes that The Power of Information, the Department of Health's Information Strategy, said people's access to their care records should be improved, with individuals gaining electronic access to their own care records where they request it, starting with GP records by 2015 and social care records as soon as IT systems allow. The Review Panel thinks this right of access should cover hospital records, community records and personal confidential data held by all organisations within the health and social care system. It believes that access should become available within the next decade. This will not automatically happen unless there is a clear plan for implementation. The chapter further recommends that an audit trail of everyone who has accessed a patient's personal confidential data should be made available in a suitable form to patients via their health and social care records.
Chapter 3: Direct care of individuals

When it comes to sharing information, a culture of anxiety permeates the health and social care sector. Managers, who are fearful that their organisations may be fined for breaching data protection laws, are inclined to set unduly restrictive rules for information governance. Front-line professionals, who are fearful of breaking those rules, do not co-operate with each other as much as they would like by sharing information in the interests of patients and service users. There is also a lack of trust between the NHS and local authorities and between public and private providers due to perceived and actual differences in information governance practice. This state of affairs is profoundly unsatisfactory and needs to change. The Review Panel found a strong consensus of support among professionals and the public that safe and appropriate sharing in the interests of the individual's direct care should be the rule, not the exception.

Direct care is provided by health and social care staff working in care teams, which may include doctors, nurses and a wide range of staff on regulated professional registers, including social workers. Relevant information should be shared with them, when they have a legitimate relationship with the patient or service user. Care teams may also contain members of staff, who are not registered with a regulatory authority, but who may need access to a proportion of someone's personal data to provide care safely. Conditions and safeguards are discussed. The chapter considers the principles underpinning a professional's right to receive personal confidential information about a patient and share it with other professionals to optimise the patient's direct care. It finds the system works for the most part on the principle of implied consent. Examples of the use of implied consent include doctors and nurses sharing personal, confidential data during medical and nursing handovers without having to ask for the patient's explicit consent. A fuller discussion of the law of consent is provided in chapter 5. Chapter 3 goes on to discuss the sharing of information with care homes, carers, friends and family. It suggests that organisations should pay closer attention to the appropriate transfer of information when people move across institutional boundaries, such as leaving hospital, coming out of the army or prison, or changing their GP. The Review Panel looked at the problem confronting staff who have to distinguish between an individual such as a relative legitimately seeking information about a patient's progress and a blagger; a person making improper inquiries. It recommends protocols to assist in good decision making and procedures for informing and helping people if mistakes are made. This chapter also explains how the use of personal confidential data for clinical audit can be managed within the law.
It discusses arrangements for sharing information with geneticists to facilitate the direct care of patients with genetic problems.

Chapter 4: Personal data breaches

In the 12 months to the end of June 2012, 186 serious data breaches were notified to the Department of Health. Most involved the loss or theft of data, but almost one-third concerned unauthorised disclosures. Many of the breaches were reported through strategic health authorities and not through the Information Commissioner's Office (ICO), which has the power to impose financial penalties of up to £500,000. When strategic health authorities go out of existence, there will be a need for a new, consistent reporting channel to ensure that breaches of patients' confidentiality do not escape the attention of senior managers, ministers and regulators of health and social care.

The ICO told the Review Panel that no civil monetary penalties have been served for a breach of the Data Protection Act due to formal data sharing between data controllers in any organisation for any purpose. It says breaches of the Data Protection Act are usually the result of lack of due consideration. Yet it finds that organisations frequently shy away from data sharing and cite data protection as a reason. The data sharing code produced by the ICO in May 2011 helps organisations to share data in a secure and proper way. They should use it. There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of every organisation in the health and social care system should publish all such data breaches, as part of the quality report in NHS organisations or as part of the annual report or performance report in non-NHS organisations. The chapter also considers the implication for data security of people's increasing use of social media. This has not changed any principles of confidentiality. However, there may be a need for greater vigilance among health and social care professionals as they switch from the personal side of their lives to the professional side.

Chapter 5: Information governance and the law

Every minute of every day, staff employed across health and social care services make lawful use of personal confidential data about patients and service users. For the most part, they do so on the legal basis of consent. They may have asked for the individual's explicit consent for a particular treatment or course of action. Or they may rely on implied consent. For example, when a patient agrees to the GP referring her to a hospital consultant, she can expect the GP to pass on details of the medical condition that requires the consultant's attention.
The GP may legally assume she has given implied consent to the sharing of this information without having to ask her. These assumptions should only be made if it is reasonable to expect the patient understands how the information will be used. The Review Panel did not consider it necessary to challenge this long-established approach, although we think further effort is needed to increase patients' understanding of how their personal confidential data is used. Chapter 5 sets out the four legal bases that may provide an organisation with a justification for holding and using personal confidential data. It recommends that the use of data without a legal basis, when one is required, should be reported and dealt with as a data breach. Chapter 5 also makes a recommendation urging all organisations in the health and social care system to explain to patients and the public how the personal information they collect could be used in de-identified form for research and other purposes. Such explanations should mention what rights the individual may have to refuse to give their consent.

When people give, refuse or withdraw explicit consent, these decisions should be traceable and communicated to others involved in the individual's direct care. Patients can change their consent at any time. New rights and pledges were set out in the Government's consultation on revisions to the NHS Constitution. The Review Panel proposes that these rights and pledges should be extended to cover the whole health and social care system. Our proposal is set out below:

You have the right of access to your own personal records within the health and social care system.
You have the right to privacy and confidentiality and to expect the health and social care system to keep your confidential information safe and secure.
You have the right to be informed about how your information is used.
You have the right to request that your confidential data is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

The NHS and adult social services also commit:

to ensure those involved in your care and treatment have access to your health and social care data so they can care for you safely and effectively (pledge);
to anonymise the data collected during the course of your care and treatment and use it to support research and improve care for others (pledge);
where identifiable data has to be used, to give you the chance to object wherever possible (pledge);
to inform you of research studies in which you may be eligible to participate (pledge); and
to share with you any correspondence sent between staff about your care (pledge).

This section also sets out the duties of staff to protect the confidentiality of personal information and to provide access to a patient's data to other relevant professionals, always doing so securely.

Chapter 6: Research

The existence of the NHS gives a big advantage to medical researchers in Britain.
As a universal service free at the point of use, the NHS has a deep well of data covering almost all of the population, across the full spectrum of medical conditions. There is also enormous untapped potential in the information captured in social care records to support better research. The Review Panel examined how these opportunities might be realised without weakening confidentiality and trust. Researchers told us of their concern about the complexity, confusion and lack of consistency in the interpretation of the requirements they have to satisfy before research projects can proceed. However, we found there can be robust solutions to these problems that permit access to detailed patient information without compromising the confidentiality of individuals.

If data clearly identifies individuals, it must not be processed without a clear legal basis. If data is anonymised in line with the ICO's anonymisation code, it can be freely processed and publicly disclosed. However, there is a third class of data, which is of great interest to researchers, that on its own does not identify individuals, but could do so if it were to be linked to other information. This grey area includes data that has been de-identified by the use of pseudonyms or coded references, but could be re-identified when combined with other data. The Review Panel looked at solutions that allow such linkages to take place for the benefit of science without putting individuals' confidentiality at risk. We recommend that the linkage of de-identified but still potentially identifiable information from more than one organisation should be done in specialist, well-governed, independently scrutinised environments known as accredited safe havens. Chapter 6 proposes national minimum standards for safe havens, supported by a system of external independent audit and other requirements to give the public confidence. The Health and Social Care Act 2012 provides for the Information Centre for Health and Social Care (the Information Centre) to become a safe haven. Chapter 6 considers whether it will have capacity to deal with the amount of data linkage that will be needed in the new health and social care system, or whether other safe havens should be established. The chapter also looks at how researchers can set about identifying people with particular characteristics to invite them to take part in clinical trials.

Chapter 7: Commissioning

Commissioners cannot organise the improvement of services unless they know quite a lot about the people using them. For example, they may want to build new care pathways that are better suited to people's needs.
However, knowing about service users need not necessarily require commissioners to know their identities. The arrangements for NHS and local authority commissioners to extract information were in a state of rapid, comprehensive change during the period of this Review, as the NHS Commissioning Board, clinical commissioning groups, Public Health England and local authorities prepared to take on the responsibilities set out for them in the Health and Social Care Act 2012. The chapter focuses primarily on the challenge facing NHS commissioners; however, the Review Panel concludes that commissioners in local authorities and Public Health England must adhere to the same standards, guidance and good practice and be subject to the same penalties for poor practice as the NHS when commissioning services. The Review Panel found a lack of consensus on the need for identifiable data to be used for commissioning purposes. However, after doing detailed work with primary care trusts, clusters and the NHS Commissioning Board, the Review Panel concluded that all the objectives set for commissioning over the years ahead can be achieved without compromising patients' confidentiality or the public's trust in the health and social care system.

The NHS Commissioning Board suggested that the use of personal confidential data for commissioning purposes would be legitimate because it would form part of a consent deal between the NHS and service users. The Review Panel does not support such a proposition. There is no evidence that the public is more likely to trust commissioners to handle personal confidential data than other groups of professionals who have learned how to work within the existing law. The Review Panel found that commissioners do not need dispensation from confidentiality, human rights and data protection law since, with little effort, they can operate perfectly well within it. For example, there are situations in which the commissioner will need personal confidential data to help people deal with individual care problems. It might be to help someone who is requesting NHS funding for continuing care after leaving hospital, or an individual funding request for drugs that are not generally available on the NHS in that area. In such cases it is entirely reasonable for the NHS to ask for the patient's explicit consent for NHS staff handling the case to be able to look at the patient's personal confidential data. In other situations, local commissioners may be able to use safe havens, within which the personal information they want to assess may be anonymised without risk of anyone's sensitive data being disclosed. For example, a clinical commissioning group might want to consider individual cases in order to monitor health inequalities, but it can do this using anonymised information. The Review Panel deliberated with the NHS Commissioning Board and other organisations about a proposal for up to 10 Data Management Information Centres (DMICs) to act as safe havens where confidential private data would be anonymised so that it could safely be made available to local commissioners.
This chapter considers how staff in the DMICs might process data lawfully through integration with the Information Centre to ensure that their activities are sanctioned by statute and to maintain public trust in the security of personal information. The Review Panel recommends that members of the NHS Commissioning Board, Clinical Commissioning Groups and members and officers in local authorities, should ensure their organisation complies with the legal and statutory framework for information governance, with boards, or equivalent bodies being formally responsible for their organisation's standards and practice on information governance.

Chapter 8: Public health

Healthcare professionals who are responsible for health protection sometimes need to know personal confidential data about specific individuals. For example during an outbreak of an infectious disease, public health staff may need to identify individuals who are at risk. This side of public health resembles the direct care of patients and service users that was considered in chapter 3. While engaged in this work, healthcare professionals can be considered to have a legitimate relationship with people in the communities they serve. It would be impractical for them to ask everyone at risk from an infectious disease to give specific consent for staff to provide appropriate information and care. Preventing the spread of infection is in the public interest and therefore the use of personal confidential data for this purpose has been provided with statutory support. This justification for accessing personal confidential data does not apply to other aspects of public health work. Health improvement programmes can provide value to the community by contributing to longer life expectancy, healthier lifestyles and reduced inequalities in health, but they cannot be considered equivalent to the direct care of patients. Most health improvement activities in public health do not require personal confidential data about individuals. However, understanding the complex relationships that exist between the environment, personal behaviours and disease requires information that can only be derived by linking data from several different sources. This side of public health resembles research and the Review Panel considers that the rules and procedures that have developed to provide the information governance for research can usefully be applied to public health intelligence. A third dimension of public health is to assist people planning healthcare services to understand the health needs of the local population. This activity resembles commissioning. Although some patient level detail is needed, patients themselves do not need to be identified. There is a lack of regulatory coherence across the public health arena. Some registries, including cancer registries, have statutory regulatory powers; others operate on a basis of consent. The Review Panel suggests detailed and consistent remedies.

Chapter 9: Education and training

Across the health and social care system, most staff are required to undertake annual training in information governance.
The commitment to training is important and the associated training budget is a welcome enabler. However, the Review Panel discovered that the mandatory training is often a tick-box exercise. One nurse told us the experience was equivalent to an annual sheep dip, which staff could go through without thinking. There needs to be a fundamental cultural shift in the approach to learning about information governance. Health and social care professionals should be educated and not simply trained in effective policies and processes for sharing of information. They should have formal information governance education focused on their roles, and this should be at both undergraduate and postgraduate level. This education should include a professional component explaining why there may be a duty to share information in the interests of the patient, as well as the legal aspects of the common law of confidentiality, the Data Protection Act and Human Rights Act.

Networks of information governance leads should be strengthened and extended to foster greater mutual learning from experience across the health and social care system. In addition to the standard training and education, Caldicott Guardians need to demonstrate continuous professional development in information governance on an annual basis. The chapter proposes education and training for non-registered staff and continuous professional development for senior managers to ensure they understand the practical information governance challenges their staff face. It notes that information governance is often the responsibility of one person within an organisation, who may feel isolated. In many cases, the role is filled by inexperienced or relatively junior staff, or is one role among many that an individual must perform. The Review Panel concluded that information governance specialists should work together to establish a community of practice that could improve knowledge to solve practical challenges, develop trust in the information governance function and remove isolation.

Chapter 10: Children and families

The safeguarding of children is a well-established system, underpinned by legislation, which requires professionals to share information about a child whenever there is cause for concern. Arrangements for sharing require constant vigilance by the relevant professionals. It has become clear, however, that professionals dealing with children and families encounter particular issues of information governance that are not covered elsewhere in this report. This chapter deals with a series of dilemmas involving children. It references work done by the Royal College of General Practitioners to address the vexed issue of when automatic parental access to the child's medical record should be turned off and when the child's automatic access should be activated upon their reaching sufficient maturity.
Other dilemmas include the extent to which individual members of a family should have access to the family records. These records have become an important dimension of children's social care following the Munro Review. The question is how to provide information to each individual family member without compromising the confidentiality of other family members. In order to provide effective care for children, information often needs to be shared beyond the normal boundaries of health and social care services, in particular taking in organisations such as schools. The Review Panel concludes that there would be clear benefits if a single, common approach to sharing information for children and young people could be adopted. The Department of Health should work with the Department for Education to investigate jointly ways to improve the safe sharing of information between health and social care services and schools and other services relevant to children and young people, through the adoption of common standards and procedures for sharing information. The departments should involve external regulators in this work including the Care Quality Commission and Ofsted.

Government policy is increasingly seeking to use information to identify individuals or groups of people, such as families, who may benefit from specific help or early intervention. Generally, the aim of these interventions is to address problems these individuals and groups may be facing before they can escalate, potentially causing harm to themselves, their communities, or wider society. Identifying these people often requires extensive sharing, linkage and analysis of personal confidential data. The Review Panel concludes that significant lessons regarding data sharing might be learned from public health and research communities. It suggests that the definitions of prevention adopted in the influential study of public health by the Commission on Chronic Illness could be adapted to cover social welfare interventions.

Chapter 11: New and emerging technologies

Increasing numbers of patients are benefiting from new technologies that permit virtual consultations with a clinician, using the telephone, emails or video links. There is also a rapidly expanding range of medical devices that use software or other technologies to record data about a patient when a clinician or other professional is not present. These devices then make the information available to the professional. The Review Panel found a lack of clarity about a patient's right to access the record of virtual consultations and uncertainty about how long records would be kept. It proposes ground rules for ensuring patients have access to information about themselves. Providers offering virtual consultation services should be able to share, when appropriate, relevant digital information from the patient, with registered and regulated health or social care professionals responsible for the patient's care.

Medical devices permitting the monitoring of a patient's condition from a remote location present challenges, but do not raise new issues of information governance. The personal confidential data gathered through these new processes and technologies must be treated in exactly the same way as any other personal confidential data, and providers of these services must adhere to the existing legislation and best practice. The NHS Commissioning Board and clinical commissioning groups and local authorities should ensure that services using these new technologies are conforming to best practice with regard to information governance and will do so in the future.

Chapter 12: Data management

There are many good reasons why organisations in health and social care need good quality data. Patients are at risk if clinicians base their decisions on inadequate data. Dangers multiply if there is poor handover of information between care teams or conflicting advice to patients from professionals. The Review Panel welcomes the focus that professional bodies for health and social care are placing on data quality. The issue is particularly relevant to this review because poor data is so often cited as the reason why people running services want to reach for the files of individuals. To find out the truth, they want information about real people that includes personal confidential data.

The best solution is not to give them dispensation to ignore or circumvent legal requirements. It is to improve data quality standards. If data quality is sound, a pseudonym may be used to link data and thus protect the identity of an individual. The Review Panel endorses the First National Data Quality Report of the Quality Information Committee of the National Quality Board, which seeks improvements in data quality in the health and social care system. The chapter summarises some important aspects of the Administrative Data Taskforce report on improving access for research and policy published in 2012, with the Review Panel endorsing a number of that report's conclusions. It also examines the sharing of data to safeguard children and adults and special considerations affecting data about the unborn. The Review Panel calls for consistency in the information governance requirements for providers. It recommends that every health and social care organisation should be required to publish a declaration signed by the board or equivalent body, describing what personal confidential data it discloses and to whom and for what purpose. The chapter seeks to clarify the legal framework for sharing personal confidential data. The Review Panel concludes that individuals should have the same level of protection under the law whether personal confidential data is shared between health service bodies, or whether the sharing is between a health service body and a non-health service body. The Review Panel also recommends that the Department of Health commission a standard template common across the health and social care system for setting up data sharing agreements, to prevent unnecessary duplication of effort.

The chapter also suggests practical arrangements to secure the safety of records when a provider's contract comes to an end and sets out the protections and safeguards which exist to prevent inappropriate sharing of patient's information with organisations such as insurers.

Chapter 13: System regulation and leadership

From an information governance perspective, there is currently no method of regulating the health and social care system as a whole. The Review Panel saw an opportunity for the Information Commissioner's Office and the Care Quality Commission to work together in ensuring the health and social care system is properly monitored and regulated in this regard. The process should be balanced, proportionate and utilise the existing and proposed duties within the health and social care system in England. This chapter sets out three minimum components. The Review Panel calls on professional regulators to be involved more often in dealing with cases of poor information sharing that disadvantage patients.

The Information Centre is to become responsible for producing and maintaining a code of practice on collecting, analysing, publishing or disclosing confidential information. It should adopt the standards and good practice guidance contained within the green-boxed sections of this report. The Informatics Services Commissioning Group (ISCG) is responsible for providing advice on commissioning informatics services across the health and social care system. It is proposed that a sub-group of the ISCG is established to provide specialist expertise, advice and support on information governance. The Review Panel welcomes this proposal. The health and social care system should adopt an agreed set of terms and definitions for information sharing that everyone, including the public, should be able to use and understand.

Chapter 14: Conclusions and recommendations

In addition to the findings of individual chapters, the Review Panel reaches some overarching conclusions. After consideration of what safeguards exist to protect people's confidential information and what means of redress are available if mistakes are made, the final chapter sets out how redress should be managed by every organisation in the health and social care system in England. There was widespread support for the original Caldicott principles, which are as relevant and appropriate for the health and social care system today as they were for the NHS in However, evidence received during the Review persuaded the Panel of the need for some updating, and inclusion of an additional principle. The revised list of Caldicott principles therefore reads:

1. Justify the purpose(s)
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

2. Don't use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

5. Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.

6. Comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

7. The duty to share information can be as important as the duty to protect patient confidentiality.
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

These principles should underpin information governance across the health and social care services. The Review Panel also concludes that the Secretary of State and the Department of Health should oversee the implementation of the recommendations of this review, and report on the progress made. This section finishes by listing the full set of recommendations from the Information Governance Review.

A guide on using this report

This report is best read in sequence, as the principles, conclusions and information governance concepts established in earlier chapters are relevant to later ones. The recommendations from the Review Panel are embedded within each chapter to provide context. A complete list is also contained in chapter 14, at the end of the report for reference. Within each chapter, the key conclusions that the Review Panel arrived at are highlighted in bold text. Finally, there are a number of sections of text within green boxes throughout this report. These contain suggested professional standards or good practice for information governance endorsed by the Review Panel. The guidance in this report is intended to help health and social care professionals and staff in sharing information appropriately in their day-to-day activities. There will, however, always be exceptional and difficult circumstances where solutions are not obvious. In these situations, professionals and staff should seek advice from Caldicott Guardians or their professional bodies, and use their judgement to act in the best interests of their patients and clients.
